Ian Lance Taylor wrote:
> Andreas Bogk <[EMAIL PROTECTED]> writes:

> I think a better way to describe your argument is that the compiler
> can remove a redundant test which would otherwise be part of a defense
> in depth.  That is true.  The thing is, most people want the compiler
> to remove redundant comparisons; most people don't want their code to
> have defense in depth, they want it to have just one layer of defense,
> because that is what will run fastest.

Exactly.  I think that Ian's approach (giving us a warning to help track
down problems in real-world code, together with an option to disable the
optimizations) is correct.  Even if the LIA-1 behavior would make GCC
magically better as a compiler for applications that have
not-quite-right security checks, it wouldn't make it better as a
compiler for lots of other applications.

I would rather hope that secure applications would define a set of
library calls for some of these frequently-occurring checks (whether in
GLIBC, or libiberty, or some new library) so that application
programmers can use them.

(I've also been known to claim that writing secure applications in C may
provide performance advantages, but makes the security part harder.  If
someone handed me a contract to write a secure application, with a
penalty clause for security bugs, I'd sure be looking for a language
that raised exceptions on overflow, bounds-checking failures, etc.)

-- 
Mark Mitchell
CodeSourcery
[EMAIL PROTECTED]
(650) 331-3385 x713
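As an illustration of the kind of library helpers this message asks for, here is an added C example (not code from the thread, GCC, GLIBC or libiberty): an overflow test written in the wrap-around style that C leaves undefined for signed integers, placed next to checks that stay within defined behaviour and therefore cannot be removed as "redundant" by the optimizer. The helper names and the buffer-range check are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The style of check under discussion in the thread: it only works if
   signed addition wraps, which the C standard does not promise, so the
   compiler may treat (a + b < a) as always false. Kept here for contrast;
   only call it with inputs that do not overflow. */
bool wrapping_check_not_portable(int a, int b) {
    return a + b < a;          /* undefined when a + b overflows */
}

/* Well-defined signed addition check: compare against the limits before
   performing the addition, so no overflow ever happens. */
bool checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Unsigned arithmetic is defined to wrap, but a length that wraps is still
   wrong; test before adding so the caller sees the failure. */
bool checked_add_size(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* count * element_size is the other frequent source of silent wrap. */
bool checked_mul_size(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/* Bounds check built on the defined helpers: does [off, off + len) fit in
   a buffer of cap bytes? A wrapped sum is reported as "does not fit". */
bool range_in_buffer(size_t off, size_t len, size_t cap) {
    size_t end;
    if (!checked_add_size(off, len, &end))
        return false;
    return end <= cap;
}

int main(void) {
    int sum;
    size_t bytes;

    printf("INT_MAX + 1 fits: %s\n",
           checked_add_int(INT_MAX, 1, &sum) ? "yes" : "no");     /* no */
    printf("1000 * 4 bytes: %s\n",
           checked_mul_size(1000, 4, &bytes) ? "ok" : "overflow"); /* ok */
    printf("[10, 10+7) in 16-byte buffer: %s\n",
           range_in_buffer(10, 7, 16) ? "yes" : "no");             /* no */
    printf("[SIZE_MAX, +1) in 16-byte buffer: %s\n",
           range_in_buffer(SIZE_MAX, 1, 16) ? "yes" : "no");       /* no */
    return 0;
}
```

The defined-behaviour versions cost one comparison against a constant, so the "one layer of defense" the quoted text describes is not made slower; what changes is that the layer is one the compiler is obliged to keep. Later GCC releases also provide `__builtin_add_overflow` and `__builtin_mul_overflow`, which express the same intent directly.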
